Q: I want to simplify the X.509 certificate setup of our corporate website. I'd like to use a single certificate to secure the access to the different DNS namespaces that are hosted on our corporate site. On our Windows Server 2008 web servers, we host www.mycompany.net and a www.mycompany.com namespaces.

Can I use Subject Alternative Name (SAN) certificates for this purpose? If SAN certificates are a solution, can I create SAN certificates using a Server 2008 Certification Authority (CA)?

A: Yes, a Server 2008 CA can create SAN certificates, and it can include other namespaces in the SAN property of the X.509 certificates it generates.

You can use the existing Web Server certificate template to generate a SAN certificate for a web server with a Server 2008 CA. In case you're not familiar with the notion of certificate templates, they're predefined and customizable templates that define the layout and properties of the different certificate types a Windows CA can issue. You must use the Certificate Templates MMC snap-in to manage a Windows CA's certificate templates. You can open the properties of a given certificate template by double-clicking the template in the snap-in's right pane.

If you open the properties of the Web Server template, you'll notice that all of its settings other than security settings are grayed out and can't be modified. This is because it's an older (Windows 2000) template. You may need to modify the settings in the Security tab to ensure that the account that you're using to request certificates has read and enroll permissions for this template. On the Subject Name tab, in the Source of subject name section, you can see that the Supplied in the request option is enabled, as shown here.



This option forces the requestor of a web server certificate to enter additional information. In this example, it's exactly what I want, because I want to provide two different DNS namespaces that must be stored in the certificate's SAN field.

Don't forget that to enable your CA to issue certificates that are based on a certain template, you must ensure that the template is included in the CA's Certificate Templates container. To add a template to this container, start the Certification Authority MMC snap-in, right-click the Certificate Templates container, and select New Certificate Template to Issue. In the Enable Certificate Templates dialog, you can then select one or more certificate templates.

To actually request a SAN certificate for your web server, you must first log on to one of the machines for which you want to create a SAN certificate. Start the Certificates MMC snap-in and open the certificate store for the local machine (select Computer Account then Local Computer in the Select Computer dialog when you load the Certificate's MMC snap-in). Provided you have sufficient privileges, you can also open a machine's certificate store from another computer or generate the SAN certificate from any machine using the CA web enrollment interface (or from the command line using the certreq.exe utility). But in Windows Server 2008, these two methods are much more complex than simply using the Certificates MMC snap-in and the Certificate Request Wizard, which Microsoft completely redesigned for Windows Server 2008.

To start the Certificate Request Wizard, open the Personal\Certificates container in the Certificates MMC snap-in, right-click the container, and select All Tasks\Request New Certificate…. In the Select Certificate Enrollment Policy dialog, select the default Active Directory Enrollment Policy. Then, in the Request Certificates dialog, select the Web Server template.

Note that this template requires you to fill in additional info (in my example, the different DNS namespaces). To do so, click the link More information is required to enroll for this certificate. Click here to configure settings. In the Certificate Properties dialog, you can then fill in the two DNS namespaces that you want to be included in the certificate's SAN attribute, as shown here.



In the Alternative name type dropdown box, select DNS. Type the DNS name www.mycompany.net in the value field, and click Add. Repeat these actions for the other DNS namespace (www.mycompany.com) and click Apply. Finally, click Enroll to start the enrollment process.

If the enrolment is successful, the wizard will return the message "Status:Succeeded." To see the resulting certificate, click the Details button then View Certificate. You can see the content of the SAN attribute in the Details tab of the Certificate Viewer, as shown here.



Related Reading: